Originally Posted by Blackcrow

The problem is NATS and ElevatedX both use eval so it cant be disabled for most webmasters. The best I can tell this hacker has 2 modes of operation; he either breaks into the nats admin and uses the templates (or upload documents) to inject code or he uses outdated versions of myphpadmin. You should have IP access turned on for NATS and IP restriction on your myphpadmin install.